Microsoft Issues Warning: Domain Controllers Used by Ransomware Hackers to Deliver Malware

Microsoft has alerted organizations that ransomware groups are increasingly targeting Active Directory (AD) domain controllers to escalate privileges within compromised networks. This warning underscores a growing trend where nearly 80% of human-operated cyberattacks involve a breached domain controller, as highlighted in a recent blog post by Microsoft.
In these incidents, domain controllers are exploited to deploy crypto-locking malware across corporate environments. Hackers compromise these critical systems to obtain user account password hashes, thereby enabling them to identify and manipulate high-privilege accounts, such as those belonging to IT administrators. This manipulation allows them to escalate their privileges, facilitating broad and damaging ransomware deployments.
“This level of access allows attackers to maximize the impact of their attacks by deploying ransomware on a larger scale,” Microsoft stated in its report. Evidence suggests that one hacking group, identified as Storm-0300, gained initial access to a target’s systems through the company’s virtual private network, subsequently attempting to execute a ransomware attack.
After acquiring administrative credentials, the cybercriminals sought to establish a connection with the domain controller via Remote Desktop Protocol (RDP). Their activities included reconnaissance, evasion of security measures, and further privilege escalation to refine their attack strategy.
Despite the rising frequency of attacks targeting domain controllers, Microsoft acknowledges the inherent challenges in securing these servers. As central components of network security, domain controllers manage user authentication and resource allocation, and hardening them without disrupting those functions is a balancing act that complicates the efforts of security teams striving to enhance security without hindering operational effectiveness.
Building capabilities that enable domain controllers to differentiate between malicious and benign activities could be a key strategy for preventing server compromises. Microsoft emphasizes that while it offers robust security defenses, their efficacy is contingent upon organizations keeping their systems updated and implementing measures such as multifactor authentication.
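As an added illustration of the kind of capability the previous paragraph calls for, the script below is example code (not Microsoft's or any vendor's) that scans Windows Security 4624 logon records and flags RDP sessions to domain controllers that did not originate from an approved admin jump host, the step the report describes the attackers taking after obtaining administrative credentials. The domain controller names, jump-host addresses and event records are constructed assumptions.

```python
"""Added example (not Microsoft's code): flag RDP logons to domain controllers
that did not originate from an approved admin jump host. Host names, addresses
and event records are constructed for illustration."""
from dataclasses import dataclass

# Windows Security event 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
LOGON_SUCCESS = 4624
RDP_LOGON_TYPE = 10

# Assumed inventory (constructed): the tier-0 domain controllers and the only
# hosts from which interactive admin sessions to them are sanctioned.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
APPROVED_JUMP_HOSTS = {"10.0.5.10", "10.0.5.11"}

@dataclass(frozen=True)
class LogonEvent:
    event_id: int
    computer: str    # host on which the logon occurred
    logon_type: int
    account: str
    source_ip: str   # IpAddress field of the 4624 record

def is_suspicious_dc_rdp(ev, dcs=DOMAIN_CONTROLLERS, jump_hosts=APPROVED_JUMP_HOSTS):
    """True for a successful RDP logon to a DC from a source other than a jump host."""
    return (
        ev.event_id == LOGON_SUCCESS
        and ev.logon_type == RDP_LOGON_TYPE
        and ev.computer.upper() in dcs
        and ev.source_ip not in jump_hosts
    )

def find_suspicious(events, dcs=DOMAIN_CONTROLLERS, jump_hosts=APPROVED_JUMP_HOSTS):
    """Return the events that should raise an alert, in log order."""
    return [ev for ev in events if is_suspicious_dc_rdp(ev, dcs, jump_hosts)]

# Constructed sample: one RDP session to DC01 arrives from a VPN client pool rather
# than a jump host; the other records are routine and must not alert.
SAMPLE_EVENTS = [
    LogonEvent(4624, "DC01", 10, "CORP\\itadmin", "10.0.5.10"),      # from jump host
    LogonEvent(4624, "DC01", 10, "CORP\\itadmin", "172.16.200.44"),  # from VPN pool: alert
    LogonEvent(4624, "FS01", 10, "CORP\\itadmin", "172.16.200.44"),  # not a DC
    LogonEvent(4624, "DC02", 3, "CORP\\svc-backup", "10.0.8.3"),     # network logon, not RDP
    LogonEvent(4625, "DC02", 10, "CORP\\itadmin", "172.16.200.44"),  # failed logon
]

for ev in find_suspicious(SAMPLE_EVENTS):
    print(f"ALERT: RDP logon to {ev.computer} by {ev.account} from {ev.source_ip}")
```

In production the allowlist would come from an inventory system and the events from a SIEM or the Security log itself; the matching logic stays the same.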
Jason Soroko, a senior fellow at security firm Sectigo, stresses the importance of vigilant customer-side security practices. Even the most advanced protective measures can fail if they are misconfigured or if legacy systems introduce vulnerabilities. Thus, continual attention to security by organizations is crucial to safeguard against the evolving landscape of cyber threats.